DSA-2356

Executive Summary

Summary
Title	openjdk-6 security update

Informations
Name	DSA-2356	First vendor Publication	2011-12-01
Vendor	Debian	Last vendor Modification	2011-12-01
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentification	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform:

CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.

CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3544 The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3547 The skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.

CVE-2011-3548 The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.

CVE-2011-3552 Malicous Java code can use up an excessive amount of UDP ports, leading to a denial of service.

CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.

CVE-2011-3554 JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.

CVE-2011-3556 The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code.

CVE-2011-3557 The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.

CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.

For the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.10-0+squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 6b23~pre11-1.

We recommend that you upgrade your openjdk-6 packages.

Original Source

Url : http://www.debian.org/security/2011/dsa-2356

CWE : Common Weakness Enumeration

id	Name
CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14752

Oval ID:	oval:org.mitre.oval:def:14752
Title:	SSL and TLS Protocols Vulnerability
Description:	The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3389	Version:	7
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows 7	Product(s):
Definition Synopsis:
Vulnerable Microsoft Windows XP SP3 x86 Microsoft Windows XP (x86) SP3 is installed AND the version of schannel.dll is less than 5.1.2600.6175 OR Vulnerable Microsoft Windows XP SP2 x64, Windows Server 2003 x86/x64/ia64 SP2 Microsoft Windows XP SP2 x64, Windows Server 2003 x86/x64/ia64 SP2 Microsoft Windows XP x64 Edition SP2 is installed AND Microsoft Windows Server 2003 SP2 (x86) is installed AND Microsoft Windows Server 2003 SP2 (x64) is installed AND Microsoft Windows Server 2003 (ia64) SP2 is installed AND the version of schannel.dll is less than 5.2.3790.4935 OR Vulnerable Microsoft Windows Vista x86/x64 SP2, Server 2008 x86/x64/ia64 SP2 Microsoft Windows Vista x86/x64 SP2, Server 2008 x86/x64/ia64 SP2 Microsoft Windows Vista (32-bit) Service Pack 2 is installed AND Microsoft Windows Vista x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed AND Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.0.6002.18541 OR LDR the version of schannel.dll is greater than or equal to 6.0.6002.22000 AND the version of schannel.dll is less than 6.0.6002.22742 OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64 Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64 Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.1.7600.16915 OR LDR the version of schannel.dll is greater than or equal to 6.1.7600.20000 AND the version of schannel.dll is less than 6.1.7600.21092 OR Vulnerable Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64/ia64 SP1 Microsoft Windows 7 x86/x64 SP1, Windows Server 2008 R2 x64/ia64 SP1 Microsoft Windows 7 (32-bit) Service Pack 1 is installed AND Microsoft Windows 7 x64 Service Pack 1 is installed AND Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed AND GDR or LDR Service branch the version of schannel.dll is less than 6.1.7601.17725 OR LDR the version of schannel.dll is greater than or equal to 6.1.7601.21000 AND the version of schannel.dll is less than 6.1.7601.21861

Definition Id: oval:org.mitre.oval:def:13662

Oval ID:	oval:org.mitre.oval:def:13662
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3521	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Runtime Environment Java Development Kit
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:13947

Oval ID:	oval:org.mitre.oval:def:13947
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3544	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Runtime Environment Java Development Kit
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed

Definition Id: oval:org.mitre.oval:def:14339

Oval ID:	oval:org.mitre.oval:def:14339
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3547	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Development Kit Java Runtime Environment
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:14492

Oval ID:	oval:org.mitre.oval:def:14492
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3548	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Development Kit Java Runtime Environment
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:14318

Oval ID:	oval:org.mitre.oval:def:14318
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3551	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Runtime Environment Java Development Kit
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed

Definition Id: oval:org.mitre.oval:def:14465

Oval ID:	oval:org.mitre.oval:def:14465
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3552	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Development Kit Java Runtime Environment
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:14311

Oval ID:	oval:org.mitre.oval:def:14311
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3553	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Runtime Environment Java Development Kit
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed

Definition Id: oval:org.mitre.oval:def:14524

Oval ID:	oval:org.mitre.oval:def:14524
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3554	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Runtime Environment Java Development Kit
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:14316

Oval ID:	oval:org.mitre.oval:def:14316
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3556	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Development Kit Java Runtime Environment
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:14373

Oval ID:	oval:org.mitre.oval:def:14373
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3557	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Development Kit Java Runtime Environment
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

Definition Id: oval:org.mitre.oval:def:14394

Oval ID:	oval:org.mitre.oval:def:14394
Title:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.
Description:	Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2011-3560	Version:	5
Platform(s):	Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012	Product(s):	Java Development Kit Java Runtime Environment
Definition Synopsis:
Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Runtime Environment is less than 1.6.0:update_28 AND Java SE Runtime Environment 6 is installed OR Determine if the version of Java Development Kit is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Development Kit is less than 1.5.0:update32 AND Java SE Development Kit 5 is installed OR Determine if the version of Java Runtime Environment is less than 1.5.0:update32 and is greater than or equal to 1.5.0 Determine if the version of Java Runtime Environment is less than 1.5.0:update32 AND Java SE Runtime Environment 5 is installed OR Determine if the version of Java Development Kit is less than 1.6.0:update_28 and is greater than or equal to 1.6.0 Determine if the version of Java Development Kit is less than 1.6.0:update_28 AND Java SE Development Kit 6 is installed OR Determine if the version of Java Development Kit is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Development Kit is less than 1.7.0:update_1 AND Java SE Development Kit 7 is installed OR Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 and is greater than or equal to 1.7.0 Determine if the version of Java Runtime Environment is less than 1.7.0:update_1 AND Java SE Runtime Environment 7 is installed

CPE : Common Platform Enumeration

Type	Description	Count
Application	Google Chrome cpe:/a:google:chrome	1
Application	Microsoft Ie cpe:/a:microsoft:ie	1
Application	Mozilla Firefox cpe:/a:mozilla:firefox	1
Application	Opera Opera Browser cpe:/a:opera:opera_browser	1
Application	Oracle Jdk cpe:/a:oracle:jdk:1.7.0 cpe:/a:oracle:jdk:1.6.0:update_25 cpe:/a:oracle:jdk:1.6.0:update_26 cpe:/a:oracle:jdk:1.6.0:update_23 cpe:/a:oracle:jdk:1.6.0:update_24 cpe:/a:oracle:jdk:1.6.0:update_27 cpe:/a:oracle:jdk:1.6.0:update_22	7
Application	Oracle Jre cpe:/a:oracle:jre:1.7.0 cpe:/a:oracle:jre:1.6.0:update_26 cpe:/a:oracle:jre:1.6.0:update_25 cpe:/a:oracle:jre:1.6.0:update_23 cpe:/a:oracle:jre:1.6.0:update_22 cpe:/a:oracle:jre:1.6.0:update_27 cpe:/a:oracle:jre:1.6.0:update_24	7
Application	Oracle Jrockit cpe:/a:oracle:jrockit:r28.1.4 cpe:/a:oracle:jrockit:r28.1.3 cpe:/a:oracle:jrockit:r28.1.1 cpe:/a:oracle:jrockit:r28.1.0 cpe:/a:oracle:jrockit:r28.0.2 cpe:/a:oracle:jrockit:r28.0.1 cpe:/a:oracle:jrockit:r28.0.0	7
Application	Sun Jdk cpe:/a:sun:jdk:1.7.0 cpe:/a:sun:jdk:1.6.0:update_17 cpe:/a:sun:jdk:1.6.0:update_7 cpe:/a:sun:jdk:1.6.0:update_10 cpe:/a:sun:jdk:1.6.0:update_14 cpe:/a:sun:jdk:1.6.0:update2 cpe:/a:sun:jdk:1.6.0:update_4 cpe:/a:sun:jdk:1.6.0:update_11 cpe:/a:sun:jdk:1.6.0:update1 cpe:/a:sun:jdk:1.6.0:update_19 cpe:/a:sun:jdk:1.6.0:update_18 cpe:/a:sun:jdk:1.6.0:update_27 cpe:/a:sun:jdk:1.6.0:update_22 cpe:/a:sun:jdk:1.6.0:update_16 cpe:/a:sun:jdk:1.6.0:update_24 cpe:/a:sun:jdk:1.6.0:update_12 cpe:/a:sun:jdk:1.6.0:update_13 cpe:/a:sun:jdk:1.6.0:update_21 cpe:/a:sun:jdk:1.6.0:update_15 cpe:/a:sun:jdk:1.6.0:update_3 cpe:/a:sun:jdk:1.6.0 cpe:/a:sun:jdk:1.6.0:update_5 cpe:/a:sun:jdk:1.6.0:update_23 cpe:/a:sun:jdk:1.6.0:update_20 cpe:/a:sun:jdk:1.6.0:update_6 cpe:/a:sun:jdk:1.6.0:update_25 cpe:/a:sun:jdk:1.6.0:update_26 cpe:/a:sun:jdk:1.6.0:update1_b06 cpe:/a:sun:jdk:1.6.0:update_20:x64 cpe:/a:sun:jdk:1.5.0:update16 cpe:/a:sun:jdk:1.5.0:update31 cpe:/a:sun:jdk:1.5.0:update3 cpe:/a:sun:jdk:1.5.0:update1 cpe:/a:sun:jdk:1.5.0:update13 cpe:/a:sun:jdk:1.5.0 cpe:/a:sun:jdk:1.5.0:update27 cpe:/a:sun:jdk:1.5.0:update14 cpe:/a:sun:jdk:1.5.0:update23 cpe:/a:sun:jdk:1.5.0:update28 cpe:/a:sun:jdk:1.5.0:update7_b03 cpe:/a:sun:jdk:1.5.0:update21 cpe:/a:sun:jdk:1.5.0:update19 cpe:/a:sun:jdk:1.5.0:update17 cpe:/a:sun:jdk:1.5.0:update26 cpe:/a:sun:jdk:1.5.0:update7 cpe:/a:sun:jdk:1.5.0:update6 cpe:/a:sun:jdk:1.5.0:update20 cpe:/a:sun:jdk:1.5.0:update5 cpe:/a:sun:jdk:1.5.0:update22 cpe:/a:sun:jdk:1.5.0:update24 cpe:/a:sun:jdk:1.5.0:update10 cpe:/a:sun:jdk:1.5.0:update11 cpe:/a:sun:jdk:1.5.0:update25 cpe:/a:sun:jdk:1.5.0:update29 cpe:/a:sun:jdk:1.5.0:update18 cpe:/a:sun:jdk:1.5.0:update8 cpe:/a:sun:jdk:1.5.0:update2 cpe:/a:sun:jdk:1.5.0:update12 cpe:/a:sun:jdk:1.5.0:update15 cpe:/a:sun:jdk:1.5.0:update9 cpe:/a:sun:jdk:1.5.0:update11_b03 cpe:/a:sun:jdk:1.5.0:update4 cpe:/a:sun:jdk:1.4.2_9 cpe:/a:sun:jdk:1.4.2_8 cpe:/a:sun:jdk:1.4.2_7 cpe:/a:sun:jdk:1.4.2_6 cpe:/a:sun:jdk:1.4.2_5 cpe:/a:sun:jdk:1.4.2_4 cpe:/a:sun:jdk:1.4.2_33 cpe:/a:sun:jdk:1.4.2_32 cpe:/a:sun:jdk:1.4.2_31 cpe:/a:sun:jdk:1.4.2_30 cpe:/a:sun:jdk:1.4.2_3 cpe:/a:sun:jdk:1.4.2_29 cpe:/a:sun:jdk:1.4.2_28 cpe:/a:sun:jdk:1.4.2_27 cpe:/a:sun:jdk:1.4.2_26 cpe:/a:sun:jdk:1.4.2_25 cpe:/a:sun:jdk:1.4.2_24::solaris cpe:/a:sun:jdk:1.4.2_24 cpe:/a:sun:jdk:1.4.2_23 cpe:/a:sun:jdk:1.4.2_22 cpe:/a:sun:jdk:1.4.2_21 cpe:/a:sun:jdk:1.4.2_20 cpe:/a:sun:jdk:1.4.2_2 cpe:/a:sun:jdk:1.4.2_19 cpe:/a:sun:jdk:1.4.2_18 cpe:/a:sun:jdk:1.4.2_17 cpe:/a:sun:jdk:1.4.2_16 cpe:/a:sun:jdk:1.4.2_15 cpe:/a:sun:jdk:1.4.2_14 cpe:/a:sun:jdk:1.4.2_13 cpe:/a:sun:jdk:1.4.2_12 cpe:/a:sun:jdk:1.4.2_11 cpe:/a:sun:jdk:1.4.2_10 cpe:/a:sun:jdk:1.4.2_1 cpe:/a:sun:jdk:1.4.2	97
Application	Sun Jre cpe:/a:sun:jre:1.7.0 cpe:/a:sun:jre:1.6.0:update_11 cpe:/a:sun:jre:1.6.0:update_19 cpe:/a:sun:jre:1.6.0:update_20 cpe:/a:sun:jre:1.6.0:update_5 cpe:/a:sun:jre:1.6.0:update_14 cpe:/a:sun:jre:1.6.0:update_24 cpe:/a:sun:jre:1.6.0:update_22 cpe:/a:sun:jre:1.6.0:update_15 cpe:/a:sun:jre:1.6.0:update_12 cpe:/a:sun:jre:1.6.0:update_23 cpe:/a:sun:jre:1.6.0:update_21 cpe:/a:sun:jre:1.6.0:update_7 cpe:/a:sun:jre:1.6.0 cpe:/a:sun:jre:1.6.0:update_17 cpe:/a:sun:jre:1.6.0:update_2 cpe:/a:sun:jre:1.6.0:update_26 cpe:/a:sun:jre:1.6.0:update_3 cpe:/a:sun:jre:1.6.0:update_10 cpe:/a:sun:jre:1.6.0:update_16 cpe:/a:sun:jre:1.6.0:update_4 cpe:/a:sun:jre:1.6.0:update_27 cpe:/a:sun:jre:1.6.0:update_1 cpe:/a:sun:jre:1.6.0:update_6 cpe:/a:sun:jre:1.6.0:update_25 cpe:/a:sun:jre:1.6.0:update_13 cpe:/a:sun:jre:1.6.0:update_18 cpe:/a:sun:jre:1.6.0:update3 cpe:/a:sun:jre:1.6.0:update2 cpe:/a:sun:jre:1.5.0:update6 cpe:/a:sun:jre:1.5.0:update22 cpe:/a:sun:jre:1.5.0:update19 cpe:/a:sun:jre:1.5.0:update25 cpe:/a:sun:jre:1.5.0:update31 cpe:/a:sun:jre:1.5.0:update8 cpe:/a:sun:jre:1.5.0:update23 cpe:/a:sun:jre:1.5.0 cpe:/a:sun:jre:1.5.0:update7 cpe:/a:sun:jre:1.5.0:update5 cpe:/a:sun:jre:1.5.0:update14 cpe:/a:sun:jre:1.5.0:update2 cpe:/a:sun:jre:1.5.0:update13 cpe:/a:sun:jre:1.5.0:update29 cpe:/a:sun:jre:1.5.0:update4 cpe:/a:sun:jre:1.5.0:update12 cpe:/a:sun:jre:1.5.0:update3 cpe:/a:sun:jre:1.5.0:update20 cpe:/a:sun:jre:1.5.0:update15 cpe:/a:sun:jre:1.5.0:update21 cpe:/a:sun:jre:1.5.0:update27 cpe:/a:sun:jre:1.5.0:update9 cpe:/a:sun:jre:1.5.0:update1 cpe:/a:sun:jre:1.5.0:update17 cpe:/a:sun:jre:1.5.0:update18 cpe:/a:sun:jre:1.5.0:update16 cpe:/a:sun:jre:1.5.0:update11 cpe:/a:sun:jre:1.5.0:update26 cpe:/a:sun:jre:1.5.0:update24 cpe:/a:sun:jre:1.5.0:update10 cpe:/a:sun:jre:1.5.0:update28 cpe:/a:sun:jre:1.4.2_9 cpe:/a:sun:jre:1.4.2_8 cpe:/a:sun:jre:1.4.2_7 cpe:/a:sun:jre:1.4.2_6 cpe:/a:sun:jre:1.4.2_5 cpe:/a:sun:jre:1.4.2_4 cpe:/a:sun:jre:1.4.2_33 cpe:/a:sun:jre:1.4.2_32 cpe:/a:sun:jre:1.4.2_31 cpe:/a:sun:jre:1.4.2_30 cpe:/a:sun:jre:1.4.2_3 cpe:/a:sun:jre:1.4.2_29 cpe:/a:sun:jre:1.4.2_28 cpe:/a:sun:jre:1.4.2_27 cpe:/a:sun:jre:1.4.2_26 cpe:/a:sun:jre:1.4.2_25 cpe:/a:sun:jre:1.4.2_24 cpe:/a:sun:jre:1.4.2_23 cpe:/a:sun:jre:1.4.2_22 cpe:/a:sun:jre:1.4.2_21 cpe:/a:sun:jre:1.4.2_20 cpe:/a:sun:jre:1.4.2_2 cpe:/a:sun:jre:1.4.2_19 cpe:/a:sun:jre:1.4.2_18 cpe:/a:sun:jre:1.4.2_17 cpe:/a:sun:jre:1.4.2_16 cpe:/a:sun:jre:1.4.2_15 cpe:/a:sun:jre:1.4.2_14 cpe:/a:sun:jre:1.4.2_13 cpe:/a:sun:jre:1.4.2_12 cpe:/a:sun:jre:1.4.2_11 cpe:/a:sun:jre:1.4.2_10 cpe:/a:sun:jre:1.4.2_1 cpe:/a:sun:jre:1.4.2	94
Os	Microsoft Windows cpe:/o:microsoft:windows	1

SAINT Exploits

Description	Link
Oracle Java Rhino Script Engine Code Execution	More info here

ExploitDB Exploits

id	Description
2011-11-30	Java Applet Rhino Script Engine Remote Code Execution

Open Source Vulnerability Database (OSVDB)

id	Description
76512	Oracle Java SE JRE JAXWS Component Unspecified Remote Information Disclosure
76511	Oracle Java SE JRE Networking Component Unspecified Remote Information Disclo...
76507	Oracle Java SE JRE JSSE Component Unspecified Remote Issue
76506	Oracle Java SE JRE RMI Component Unspecified Remote Issue (2011-3557)
76505	Oracle Java SE JRE RMI Component Unspecified Remote Issue (2011-3556)
76502	Oracle Java SE JRE 2D Component Unspecified Remote Issue
76500	Oracle Java SE JRE Rhino Javascript Error Parsing Input Sanitation Weakness R...
76498	Oracle Java SE JRE Component Unspecified Remote Issue (2011-3554)
76497	Oracle Java SE JRE Networking Component java.net.Socket API UDP Socket Satura...
76496	Oracle Java SE JRE IIOP Deserialization Applet Handling Remote Code Execution
76495	Oracle Java SE JRE AWT Component Unspecified Remote Issue (2011-3548)
74829	SSL Chained Initialization Vector CBC Mode MiTM Weakness

Metasploit Database

id	Description
2011-10-18	Java Applet Rhino Script Engine Remote Code Execution

Global Informations

Type	Count
Oval ID(s)	12
CPE ID(s)	217
Saint Exploit(s)	1
osvdb(s)	12
ExploitDB Exploit(s)	1
Metasploit Exploit(s)	1

Related	Severity
DSA-2358	(Critical)
CVE-2011-3554	(Critical)
CVE-2011-3548	(Critical)
CVE-2011-3544	(Critical)
CVE-2011-3521	(Critical)
CVE-2011-3551	(Critical)
CVE-2011-3556	(High)
CVE-2011-3557	(Medium)
CVE-2011-3560	(Medium)
CVE-2011-3547	(Medium)
CVE-2011-3389	(Medium)
CVE-2011-3553	(Low)
CVE-2011-3552	(Low)